ExtraHop warns of devices phoning home and exfiltrating data

Enterprise cyber analytics vendor ExtraHop has warned of devices phoning home and exfiltrating data out of the enterprise. It has cited four recent examples, one of which involved a UK vendor sending 1TB of data over three days. Its client is a financial services company in the US and the exfiltration raised serious regulatory and compliance concerns.


According to Jeff Costlow, CISO, ExtraHop: “We decided to issue this advisory after seeing a concerning uptick in this kind of undisclosed phoning home by vendors.

“What was most alarming to us was that two of the four cases in the advisory were perpetrated by prominent cybersecurity vendors. These are vendors that enterprises rely on to safeguard their data. We’re urging enterprises to establish better visibility of their networks and their vendors to make sure this kind of security malpractice doesn’t go unchecked.”

Why are devices sending data to vendors?

There are many good reasons for devices to be sending data back to a vendor. In the case of printers and servers, this is generally as part of a support agreement. It allows the vendor to identify issues such as a potential failure which results in an engineer arriving on site before the failure happens.

In manufacturing, airlines, medical and other industries it is much more involved. The use of sensors allows the manufacturer to do complex monitoring of a device. That data is fed into a digital twin, a virtual version of that same device. In the airline industry this has meant that highly complex and expensive service schedules have been eased to reduce cost and service disruptions.

In three of the cases, the data was supposedly being sent as part of the contract (more on these below). In the fourth case, a member of staff had installed a security camera in their office. It was connected to the network so that the user could monitor it. However, ExtraHop discovered that it also connected itself to a known malicious IP address in China. This meant that it could easily be used to install malware or steal data.

This crossover of enterprise and consumer IoT devices is something that Forescout called out a few days ago.

What was the issue here?

What Costlow and his team discovered here, however, was partly a failure of process and partly suspicious behaviour. The 1TB of data taken from the financial services company was sent over a three-day period. It is far too much to have been security analytics data from hardware. This raises the question as to what it was and why it was sent.

When looking at the data, ExtraHop discovered something that was disturbing. Costlow told Enterprise Times: “The times that the data was being sent to the UK was during the working day of UK employees.” If this was security analytics data then data should have been sent back either 24×7 or based on the working day of the US-based company. This pattern of data is extremely odd. The report concludes there was: “Potential exposure of PII and violations under Gramm-Leach-Bliley Act.”

A similar issue applies to the hospital case. Device management data was being sent to the cloud. That data transfer was outside of the control of IT and had not been authorised. The net result, says the report, was that this was a: “potential HIPAA violation requiring incident response.” Any activation of an incident response plan requires notification to multiple authorities and could lead to a significant fine.

A third case which involved a security vendor also involved a financial services provider. As with the hospital, data was being sent to the public cloud after a Proof of Concept (PoC) trial had finished. This case is less clear. There should have been rules to prevent data being sent after a specific date. However, who was responsible for that – vendor or customer – is a grey area. Arguably both are responsible.

A need for better controls

All of these cases can be put down to poor process and controls. The consumer camera is a perfect example of the consumer IoT bloat inside offices. These are devices not purchased, owned or known about by IT. As such, they are connected to the corporate network providing an easy ingress route to the business.

The other three are different. In the case of the hospital PoC, there would have been an agreement for device monitoring. The failure to check compliance requirements is a major problem. As compliance and regulation increase, organisations need to be more aware of the impact on any PoC cases.

It is also important that agreements that see data being sent to vendors are clear and monitored. This is especially important when the data is being sent to the public cloud. Every week there is another breach put down to a misconfigured server in the cloud. Both the customer and the vendor should agree on configuration and security.

Costlow says organisations need to: “Track what should be talking to outside sources. Monitor the egress of data. Make sure you know which assets have access to what data and what is then leaving. Understand the value of the data.” This latter point is something that organisations should already have done as part of their breach planning.
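The egress tracking described above can be sketched as follows. This is an added example, not ExtraHop's code or anything taken from the advisory: it totals outbound bytes per host and destination pair and flags unapproved destinations, excessive volume, and transfers that follow the receiving site's working day, as in the 1TB case. The flow records, addresses, 50 GB limit and UTC+1 offset are all constructed assumptions.

```python
from collections import defaultdict
from datetime import datetime, timedelta, timezone

# Constructed (host, destination) pairs covered by a vendor agreement.
APPROVED = {("10.0.7.3", "198.51.100.7"), ("10.0.5.20", "203.0.113.10")}

def egress_findings(flows, approved, byte_limit, remote_utc_offset, workday=(9, 17)):
    """Total outbound bytes per (host, dest) and list the reasons to investigate."""
    remote_tz = timezone(timedelta(hours=remote_utc_offset))
    total, in_hours = defaultdict(int), defaultdict(int)
    for ts, host, dest, nbytes in flows:
        key = (host, dest)
        total[key] += nbytes
        local = ts.astimezone(remote_tz)  # clock time at the receiving end
        if local.weekday() < 5 and workday[0] <= local.hour < workday[1]:
            in_hours[key] += nbytes
    findings = {}
    for key, nbytes in total.items():
        reasons = []
        if key not in approved:
            reasons.append("unapproved destination")
        if nbytes > byte_limit:
            reasons.append("volume over limit")
        # Automated telemetry runs around the clock; a human-paced schedule does not.
        if nbytes and in_hours[key] / nbytes > 0.9:
            reasons.append("follows remote working day")
        if reasons:
            findings[key] = {"bytes": nbytes, "reasons": reasons}
    return findings

def sample_flows():
    """Constructed flow records (UTC time, host, dest, bytes out); not advisory data."""
    start = datetime(2019, 7, 16, tzinfo=timezone.utc)  # a Tuesday
    flows = [(start + timedelta(hours=3), "10.0.9.44", "192.0.2.66", 20_000)]
    for hour in range(72):  # three days, one record per hour
        ts = start + timedelta(hours=hour)
        flows.append((ts, "10.0.7.3", "198.51.100.7", 5_000_000))  # steady 24x7
        if 8 <= ts.hour < 16:  # 09:00-17:00 at UTC+1
            flows.append((ts, "10.0.5.20", "203.0.113.10", 42_000_000_000))
    return flows

if __name__ == "__main__":
    report = egress_findings(sample_flows(), APPROVED, 50_000_000_000, 1)
    for (host, dest), info in report.items():
        print(host, "->", dest, info["bytes"], "; ".join(info["reasons"]))
```

The approved vendor pair is still flagged on volume and timing, which is the point of the case above: an agreement that permits a destination does not make every transfer to it expected.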

In terms of regulation, Costlow believes: “Draconian regulations all have their own ways of dealing with it. Most have a lot to force the right behaviour into the company. Write policy and connect to process.”

Enterprise Times: What does this mean

It’s an unpalatable truth but unauthorised exfiltration of data takes place daily for most organisations. The rise of consumer-grade cloud services used by employees and even business units is a good example. IT rarely has a clue where much of that data is going, how secure it is or who eventually has eyes on it.

The rise of consumer devices is also leading to data disappearing. TVs in meeting rooms and digital voice assistants such as Amazon Alexa and Google mean there are open microphones all over the building. We know that they are recording conversations even before key words are used but that hasn’t stopped their spread.

The issues in three of the four cases here are more worrying. IT was involved in all three, just not as much as it realised. The security team had no clue what data was accessible, being accessed or being sent out of the organisation. It also had no involvement in the securing of the cloud services when data was sent there. This means it did not know if the data was being secured properly or if a misconfiguration would later result in a major breach. Just ask Capital One about poorly configured cloud instances.

IT and the business need to have a serious conversation with each other and, just as importantly, with vendors. Compliance and privacy rules are getting stricter and more expensive. Contracts need to be clear about what data is being accessed, who is responsible and who is going to pay for any breach.

Ian has been a journalist, editor and analyst for over 30 years. While technology remains the core focus of Ian's writings he also covers science fiction, children's toys, field hockey and progressive rock. As an analyst, Ian is the Cyber Security and Infrastructure Practice Leader for Creative Intellect Consulting Ltd.